How will the GDPR impact Canadian tech companies?

PwC Canada

Written by Jordan Prokopy, Director & Privacy Practice Leader at PwC Canada

This article was originally published on BetaKit.

For months, the European Union’s General Data Protection Regulation (GDPR) has felt like a distant point on the horizon — within sight, but still far away. Now, that distant point is a whole lot closer, and getting harder to ignore.

Over the next several months, implementation of the GDPR is likely to be a significant challenge for Canadian tech companies. As I’ve written about before, its stated purpose is to strengthen the protection of personal data, and create a set of “data rights” for EU residents. As a result, it will regulate the flow of data across borders. This will have an immediate impact on companies that rely on cloud services to do business with EU residents, as well as any companies that have European clients or customers, or process EU resident data on behalf of clients.

As you can imagine, the ripples of GDPR will be widely felt. But for the Canadian tech industry, the most significant risks may be less obvious. If your company has a material data breach, expect to receive regulator attention. Going for Series A or Series B funding? Be prepared to answer questions about GDPR compliance. Looking for a buyout? Your data protection practices (or lack thereof) may have a big impact on your valuation. As a tech company, if you’re found noncompliant, you may also risk having entire databases deleted.

This may sound daunting, but there’s no need to panic. Canada has privacy legislation at the provincial and federal levels that shares some characteristics with the GDPR. The key is to start understanding its complexities so that you can be prepared. Now is the time to get your house in order, and here are some initial suggestions on actions you can take:

  1. Perform data mapping and a GDPR assessment
    Don’t waste time “boiling the ocean”: take a risk-based approach to GDPR compliance and figure out where you might be most susceptible, and then prioritize accordingly. Conduct a data mapping exercise to determine exactly what data you have, where it’s located, and how it flows both into and out of your organization and across borders. This will also help you determine whether you’re a data controller or a data processor — an important distinction as you work towards compliance. Once you know this, you can start to understand where you handle and store EU data.
  2. Focus on top-priority risks
    The GDPR is a wide-ranging regulation, and it’s easy to get bogged down in the different impacts it could have on your business. But we live in the real world, and so do regulators, who will have to make hard choices about their priorities. As a Canadian tech leader, it makes sense to focus on mission-critical business functions and those lines of business that could attract the attention of regulators first, such as your ongoing marketing efforts or the development of any products that leverage personal data in new ways.
  3. Rethink how you manage data
    For some companies, the most viable strategy may be to change data management activities on the EU-related portion of the business. How does the EU version of your website track usage? Can you stop serving targeted advertising to individuals in the EU? Are there opportunities to anonymize data so you are not subject to GDPR, or pseudonymize data to reduce GDPR responsibilities? You need to start thinking differently about how you’re managing EU data now if you want to avoid issues before they surface.
  4. Remediate processes
    Finally, you should determine what existing practices need to be changed or what new processes you’ll need to achieve GDPR compliance. Depending on the scope of your business with EU residents, that may include establishing clear (and documented) accountability for compliance, reviewing the context for lawful processing and third-party contracts, and developing policies and protocols to execute on any data deletion request. It also means regularly reviewing your processes to ensure you’re staying compliant.
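Step 3 above raises anonymization and pseudonymization as two different levers: anonymized data is meant to fall outside the GDPR altogether, while pseudonymized data is still personal data but with reduced exposure because the direct identifier has been replaced by a token that can only be linked back with separately held "additional information". The example below, added here as an illustration and not code from PwC or from the original article, shows one common way to implement each: pseudonymization as a keyed HMAC-SHA256 token over the e-mail address (the secret key is the separately held information; an unkeyed hash would be guessable from a list of candidate addresses), and anonymization as dropping the direct identifier and generalising a quasi-identifier. The sample records, the field names and the key are all constructed for the demo.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample records; none of these are real people.
SAMPLE_RECORDS: List[Dict] = [
    {"email": "alice@example.eu", "country": "DE", "birth_year": 1984, "plan": "pro"},
    {"email": "Bob@Example.eu", "country": "FR", "birth_year": 1991, "plan": "free"},
    {"email": "alice@example.eu", "country": "DE", "birth_year": 1984, "plan": "pro"},
]

# Fields that identify a person on their own (assumed for this demo).
DIRECT_IDENTIFIERS = ("email",)

# Constructed demo key. In practice this is the "additional information" of
# GDPR Art. 4(5): it lives in a secrets manager, separate from the dataset,
# and is never shipped with the pseudonymized records.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(value: str, key: bytes) -> str:
    """Keyed token for one identifier.

    HMAC rather than a bare hash: anyone holding a candidate list of e-mail
    addresses can recompute plain SHA-256 values and re-identify the rows,
    but cannot recompute HMAC tokens without the key. Normalising case keeps
    'Bob@Example.eu' and 'bob@example.eu' linked to the same token.
    """
    return hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records: List[Dict], key: bytes) -> List[Dict]:
    """Replace direct identifiers with keyed tokens; all other fields are kept.

    Row linkability survives (same person -> same token), which is what lets
    analytics, deduplication and deletion requests still work on the copy.
    """
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in new:
                new[field] = pseudonym(str(new[field]), key)
        out.append(new)
    return out


def anonymize(records: List[Dict]) -> List[Dict]:
    """Drop direct identifiers and coarsen a quasi-identifier.

    No token is kept, so nothing links the output back to a person. Birth year
    is generalised to a decade; country and plan are kept as-is here, which a
    real assessment would revisit if they are rare enough to single someone out.
    """
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        if "birth_year" in new:
            decade = (new.pop("birth_year") // 10) * 10
            new["birth_decade"] = f"{decade}s"
        out.append(new)
    return out


def reidentification_table(records: List[Dict], key: bytes) -> Dict[str, str]:
    """token -> original identifier; held only by the controller, under access
    control, so that a deletion or access request can be honoured on the
    pseudonymized copy. Deleting this table (and the key) is what turns the
    copy into effectively anonymized data."""
    table = {}
    for rec in records:
        for field in DIRECT_IDENTIFIERS:
            if field in rec:
                table[pseudonym(str(rec[field]), key)] = str(rec[field])
    return table


if __name__ == "__main__":
    for row in pseudonymize(SAMPLE_RECORDS, DEMO_KEY):
        print("pseudonymized:", row)
    for row in anonymize(SAMPLE_RECORDS):
        print("anonymized:   ", row)
```

Running the block prints three pseudonymized rows in which the two Alice records carry the same token, and three anonymized rows with no e-mail and a `birth_decade` instead of `birth_year`. The design point for a readiness assessment is the split: the dataset and the key/lookup table must sit with different owners and controls, otherwise the "pseudonymized" copy is personal data with a thin disguise.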

The worst thing you can do right now is be complacent. Tools like PwC’s GDPR Readiness Assessment Tool can provide a top-down assessment to help prioritize your efforts and benchmark against peers and companies across the globe. Privacy protection, now more than ever, can be used as a strategic differentiator to gain market share both locally and internationally. Taking data privacy seriously today could give you the added edge to secure the funding opportunities, buyout, or high valuations you are looking for.

For more information on what to do next, read our overview of GDPR policies and recommended actions or reach out to me directly for guidance.
